env-mask
A VS Code extension (unpublished) that automatically masks sensitive values in environment files to protect secrets from shoulder surfing and accidental exposure.
Environment variables with values safely masked
Click on any masked value to temporarily reveal it
What it does
env-mask automatically detects and masks sensitive values in .env files, replacing them with configurable masking characters (like ••••••••••).
This reduces the chance of accidentally flashing API keys, database passwords, and other secrets on screen, for example when:
- Working in public spaces
- Taking screenshots
Features
- Masking: Instantly masks values in .env files when opened
- Click to Reveal: Click on any masked value to temporarily reveal it
- Auto-Hide: Automatically re-mask revealed values after a configurable delay
- Customizable: Configure masking character, length strategy, and file patterns
- Multi-File Support: Works with .env, .env.local, .env.production, etc.
- Blacklist Support: Exclude specific files or patterns from masking
- Real-time: Instantly applies to newly opened files
Installation (still unpublished)
- Open VS Code
- Go to Extensions (Ctrl+Shift+X)
- Search for "env-mask"
- Click Install
Or install from the command line:
code --install-extension env-mask
Usage
Basic Usage
- Open any .env file - values are automatically masked
- Click towards the tail of a masked value to reveal it temporarily
- Use Command Palette (Ctrl+Shift+P) for additional commands:
  - env-mask: Toggle Masking feature on/off
  - env-mask: Reveal All Values
  - env-mask: Mask All Values
Supported File Patterns
By default, the extension works with:
.env
.env.local
.env.development
.env.production
.env.test
Configuration
Access settings via File → Preferences → Settings, then search for "env-mask":
Masking Character
"env-mask.eb_maskingCharacter": "•"
Character used for masking (default: •)
Masking Strategy
"env-mask.eb_maskingLengthStrategy": "eb_fixedLength"
eb_fixedLength: Use a fixed number of characters
eb_proportionalLength: Match the original value length
Fixed Mask Length
"env-mask.eb_fixedMaskLength": 8
Number of masking characters when using fixed length strategy (5-100)
Auto-Hide Delay (ms)
"env-mask.eb_autoHideDelay": 5000
Milliseconds before auto-hiding revealed values (0 = no auto-hide, max: 10000)
File Patterns
"env-mask.eb_enabledFilePatterns": [
".env",
".env.local",
".env.development",
".env.production",
".env.test"
]
File patterns where masking should be enabled
Blacklisted Files
"env-mask.eb_blacklistedFiles": [
"public.env",
"*.example.env"
]
File patterns to exclude from masking (supports wildcards)
Commands
| Command | Description |
| --- | --- |
| env-mask: Toggle Masking feature on/off | Enable/disable the entire extension |
| env-mask: Reveal All Values | Show all values in the current file |
| env-mask: Mask All Values | Hide all values in the current file |
The original file content is never modified - masking is purely visual through VS Code's decoration system.
This also means that the extension has limitations that are addressed below.
Known Limitations
- Startup Delay: Takes 3-5 seconds to activate when VS Code starts with .env files open
- Tab Switching: Brief exposure when switching between tabs
- Cursor Positioning: Some edge cases with cursor placement at line endings
- Click Detection: Click detection area could be more precise
See limitations.md for detailed information.
Development
npm install
npm run compile
Testing
# Press F5 to launch extension development host
Building
npm run vscode:prepublish
The extension recognizes the standard .env file format:
#comments are ignored
API_KEY=your-secret-here #this value gets masked
DB_PASSWORD=super-secret-pwd #this too
PORT=3000 #and this
#empty lines are ignored, comments as well
ANOTHER_SECRET=masked-value #this as well
Supported:
- Standard KEY=VALUE format
- Comments (starting with # or //)
- Empty lines
- Various quote styles in values
Not supported by design:
- export statements
- Multi-line values
- Complex shell substitutions
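The line format described above, as an added example in plain JavaScript (not the extension's own code): it finds the value span on each line and renders it under either masking strategy. The function names, option names, the inline-comment rule (whitespace followed by #), the no-escapes quote handling, and leaving export lines unmasked are assumptions.

```javascript
// Added example: what a masked view of one .env line could look like.
// findValueRange and maskLine are hypothetical names, not the extension's API.

// Returns [start, end) of the value in a line, or null when nothing is masked.
function findValueRange(line) {
  const trimmed = line.trim();
  // Blank lines and comments (# or //) are ignored.
  if (trimmed === "" || trimmed.startsWith("#") || trimmed.startsWith("//")) return null;
  // export statements are listed as unsupported; assumed here to stay unmasked.
  if (/^export\s/.test(trimmed)) return null;
  const eq = line.indexOf("="); // first '=' only, so base64 padding stays in the value
  if (eq < 0 || !/^\s*[A-Za-z_][A-Za-z0-9_.]*\s*$/.test(line.slice(0, eq))) return null;
  let start = eq + 1;
  while (start < line.length && /\s/.test(line[start])) start++;
  let end = line.length;
  const quote = line[start];
  if (quote === '"' || quote === "'" || quote === "`") {
    // Quoted value: runs to the matching closing quote (assumption: no escapes).
    const close = line.indexOf(quote, start + 1);
    if (close > 0) end = close + 1;
  } else {
    // Unquoted: an inline comment starts at whitespace followed by '#' (assumption);
    // a '#' inside the value, as in abc#123, is part of the secret.
    const m = /\s+#/.exec(line.slice(start));
    if (m) end = start + m.index;
  }
  while (end > start && /\s/.test(line[end - 1])) end--;
  return end > start ? [start, end] : null;
}

// Renders the line with its value replaced by masking characters.
function maskLine(line, cfg = {}) {
  const { maskingCharacter = "•", strategy = "eb_fixedLength", fixedMaskLength = 8 } = cfg;
  const range = findValueRange(line);
  if (!range) return line;
  const [start, end] = range;
  const n = strategy === "eb_proportionalLength" ? end - start : fixedMaskLength;
  return line.slice(0, start) + maskingCharacter.repeat(n) + line.slice(end);
}

// Constructed sample input (not real secrets).
const SAMPLE = [
  "# comment",
  "API_KEY=your-secret-here #this value gets masked",
  'DB_PASSWORD="p#ss word=="',
  "TOKEN=abc#123==",
  "export LEGACY=left-alone",
];
for (const l of SAMPLE) console.log(maskLine(l));
```

With eb_proportionalLength the mask still shows how long each secret is; eb_fixedLength hides that as well.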
Security Note
This extension provides visual security by hiding values from view.
- Never commit real secrets to version control
- Use proper secret management systems in production
- Consider this extension as protection against accidental exposure, not a security measure against malicious access